On December 1, the Wiesbaden Administrative Court in Germany issued an unprecedented decision stating that companies can’t use a cookie management provider that is relying on a service based in the United States to collect data, regardless of whether the data leaves the EU.
Since many Consent Management Platforms operate from the EU but rely on a US-based service, they might be in trouble: companies would not be able to collect user data through their services, so such platforms could lose a big chunk of their customers in the EU.
However, such a decision by the German court will not affect CookieScript and its services. Keep reading the article to find out why choosing CookieScript as your provider will keep you out of trouble.
Case Overview and Why Problems Arose
Although this decision by the German court to ban US-reliant cookie management providers was made at the interim injunction stage and could still be modified if the case proceeds to trial, its implications shouldn’t be overlooked even at this early stage.
Let’s give an example to understand the situation better. Cookiebot, a cookie management platform from the Danish company Cybot, had one of its cookie banners placed on the Rhine-Main University of Applied Sciences website. As noted in CookieScript’s previous articles, a cookie banner is a small notice board that websites use to get user consent to collect user data, such as IP addresses, browsing activity, and so on.
While Cookiebot did everything in compliance with the EU General Data Protection Regulation (GDPR) and stated all the necessary information in its banner before collecting data, the problem was how Cookiebot collected the data. To collect it, the company used Akamai Technologies, a US-based content delivery network.
To emphasize, the German court appeared to accept that Akamai Technologies could have stored Cookiebot data on EU servers (and not in the US), which suggests Cookiebot’s agreement is with Akamai’s German affiliate. However, the court ruled this was irrelevant. It held that the mere use of a US-based provider to collect IP addresses and user key data was an unlawful transfer.
Here are the reasons why:
- As the Court of Justice of the European Union notes, IP addresses, as well as user key data, are personal data.
- Under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a US cloud provider can be obligated to produce all data in its possession, custody, or control to US agencies, regardless of whether the data is stored in or outside the US. While the court never evaluated whether a data transfer occurred, it can assume that one can happen even if data never leaves the EU, since the data is processed on Akamai Technologies servers in a third country, in this case the United States.
The court did not state whether any significant risk was created for the users, so it is unclear what dangers users would face if their IP addresses were stored on US servers. However, there are a few technical details to consider when choosing your cookie management platform to ensure that such problems never arise for your data.
Technical and Legal Reasons
This unprecedented decision, that companies can’t use a cookie management provider that relies on a service based in the United States to collect data, regardless of whether the data leaves the EU, has its reasons.
The main reason for this decision is to prohibit data processing even when personal data is stored in the EU and never leaves the EU, especially since this German court case claimed that all “website plugins that are hosted and loaded by a cloud service with any U.S. connection” now create “impermissible data transfers.”
For most cookie management providers, this is unwelcome news. Many of them rely on a US-based service to collect data, which can bring these companies to a potential closure, since user data can be in trouble.
It is important to know that such companies rely on others’ services. One such provider is Cloudflare. Cloudflare is a US-based Content Delivery Network (CDN) that most cookie management providers use: a network of servers that aims to distribute content over the internet as fast as possible.
As the information above suggests, relying on US-based networks will soon no longer be a solution. It does not matter that such CDN servers are based in the EU: if the company is in the US, then US officials can ask for information from these EU servers. Many users probably wouldn’t want their information exposed, so this can be a privacy issue.
Our Steps to Prevent Such Issues with CookieScript
CookieScript has adopted a different strategy when choosing services to rely on. First of all, CookieScript does not use any CDN provider; it has its own unique content delivery network that distributes requests to CookieScript’s EU servers. Moreover, CookieScript learned from experience and shifted from one service provider to another.
Previously, CookieScript used servers that were based in the Netherlands, and its supplier was DigitalOcean, a company that is registered in the US. However, right now there are no ties with US-based companies left, so you don't have to worry about where your data might go.
The new regulations are kicking in and CookieScript has made a move from one service provider to another. Since the company wants to avoid privacy issues, it has chosen to work with Hetzner, a company that is registered in Germany.
CookieScript also doesn't use any U.S.-registered company as a subcontractor.
With this move, CookieScript has ensured that it complies with the latest privacy laws that the EU has set out, so its customers can have a safe experience using CookieScript services and do not have to worry about where the information they collected might go.
Frequently Asked Questions
What is a cookie management platform?
A cookie management platform is a tool that manages website cookies. It provides a Cookie Banner that complies with all the latest data privacy laws and collects user consent to store personal information. Users also can opt out of cookies if they don’t want their data to be tracked. Try CookieScript – a reliable cookie management platform.
What is the new EU data law?
On December 1, the Wiesbaden Administrative Court in Germany issued an unprecedented decision stating that companies can’t use a cookie management provider that is relying on a service based in the United States to collect data, regardless of whether the data leaves the EU. CookieScript uses EU servers so your data can be protected at all costs.
Why is Cookiebot in trouble?
The Rhine-Main University of Applied Sciences is no longer allowed to integrate the Cookiebot service on its website, the Wiesbaden Administrative Court in Germany decided. Cookiebot asked users to consent to the storage of cookies, but the process involved transferring data from website visitors to the servers of a US company. Cookiebot used Akamai Technologies, a US-based content delivery network, for data collection.
Why can't US-based companies provide privacy services in the EU?
On December 1, the Wiesbaden Administrative Court in Germany issued an unprecedented decision stating that companies can’t use a cookie management provider that is relying on a service based in the United States to collect data. However, this decision will not affect CookieScript and its customers, as CookieScript does not use a US-based company's services.
Is CookieScript safe?
Unlike its competitors, CookieScript does not use any CDN provider; it has its own unique content delivery network that distributes requests to CookieScript’s EU servers. CookieScript has cut ties with DigitalOcean, a company that is registered in the US, and chose Hetzner, a German server provider.
What are the major data privacy laws?
In the European Union, the main data privacy law is the General Data Protection Regulation (GDPR), which was introduced in May 2018. In the United States, one of the most significant laws for those based in California is the California Consumer Privacy Act (CCPA), which was introduced in January 2020. The Cookie Banner from CookieScript complies with both of these laws.
What is CDN?
A CDN, or Content Delivery Network, is a geographically distributed network of servers that delivers internet content quickly, and it is a tool that most cookie management providers use. CookieScript has created its own unique CDN to use for its services. Find out more on their homepage.